Bug 1465969
| Field | Value |
|---|---|
| Summary | Admin URL is exposed as non-SSL (35357) after SSL deployment |
| Product | Red Hat OpenStack |
| Reporter | Andreas Karis <akaris> |
| Component | puppet-tripleo |
| Assignee | RHOS Maint <rhos-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Prasanth Anbalagan <panbalag> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 10.0 (Newton) |
| CC | emacchi, jjoyce, josorior, jschluet, mburns, mcornea, nkinder, panbalag, rhel-osp-director-maint, slinaber, tvignaud |
| Target Milestone | rc |
| Keywords | Triaged |
| Target Release | 12.0 (Pike) |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | puppet-tripleo-7.4.3-0.20171019174214.1e9000a.el7ost |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Clones | 1483749 1483750 (view as bug list) |
| Environment | |
| Last Closed | 2017-12-13 21:33:29 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1483749, 1483750 |
Description
Andreas Karis
2017-06-28 14:35:36 UTC
First deployment:

~~~
openstack overcloud deploy --templates \
  -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
  -e ${template_base_dir}/network-environment.yaml \
  -e ${template_base_dir}/enable-tls.yaml \
  -e ${template_base_dir}/cloudname.yaml \
  -e ${template_base_dir}/inject-trust-anchor.yaml \
  -e ${template_base_dir}/tls-endpoints-public-dns.yaml \
  -e ${template_base_dir}/service-net-map.yaml \
  --control-flavor control --compute-flavor compute --ceph-storage-flavor ceph-storage \
  --control-scale $control_scale --compute-scale $compute_scale --ceph-storage-scale $ceph_scale \
  --ntp-server $ntpserver \
  --neutron-network-type vxlan --neutron-tunnel-types vxlan
~~~

~~~
stack@undercloud-4 templates]$ grep KeystoneAd enable-tls.yaml
KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
stack@undercloud-4 templates]$ grep KeystoneAd tls-endpoints-public-dns.yaml
KeystoneAdmin: {protocol: 'https', port: '13357', host: 'CLOUDNAME'}
~~~

~~~
[stack@undercloud-4 templates]$ cat cloudname.yaml
parameter_defaults:
  CloudName: osp.example.net
  DnsServers: ["192.0.2.1"]
  PublicVirtualFixedIPs: [{'ip_address':'10.0.0.4'}]
~~~

~~~
[stack@undercloud-4 templates]$ cat service-net-map.yaml
parameter_defaults:
  ServiceNetMap:
    KeystoneAdminApiNetwork: external
~~~

Which leads to /etc/haproxy/haproxy.cfg:

~~~
(...)
listen keystone_admin
  bind 10.0.0.4:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 10.0.0.4:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0.external.localdomain 10.0.0.11:35357 check fall 5 inter 2000 rise 2
(...)
~~~

Hi,

Second deployment - this should cover the default SSL/TLS deployment as per our documentation:

~~~
openstack overcloud deploy --templates \
  -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
  -e ${template_base_dir}/network-environment.yaml \
  -e ${template_base_dir}/enable-tls.yaml \
  -e ${template_base_dir}/cloudname.yaml \
  -e ${template_base_dir}/inject-trust-anchor.yaml \
  -e ${template_base_dir}/tls-endpoints-public-dns.yaml \
  --control-flavor control --compute-flavor compute --ceph-storage-flavor ceph-storage \
  --control-scale $control_scale --compute-scale $compute_scale --ceph-storage-scale $ceph_scale \
  --ntp-server $ntpserver \
  --neutron-network-type vxlan --neutron-tunnel-types vxlan
~~~

~~~
[stack@undercloud-1 templates]$ grep KeystoneAd enable-tls.yaml
KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
[stack@undercloud-1 templates]$ grep KeystoneAd tls-endpoints-public-dns.yaml
KeystoneAdmin: {protocol: 'http', port: '35357', host: 'IP_ADDRESS'}
~~~

Which leads to /etc/haproxy/haproxy.cfg:

~~~
[root@overcloud-controller-0 ~]# cat /etc/haproxy/haproxy.cfg | grep 35357 -B2 -A3
listen keystone_admin
  bind 10.0.0.4:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.0.2.14:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0.ctlplane.localdomain 192.0.2.15:35357 check fall 5 inter 2000 rise 2
listen keystone_public
  bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
~~~

The port is now only exposed on the provisioning network:

~~~
[root@overcloud-controller-0 ~]# ss -lntp | grep 35357
LISTEN 0 128 192.0.2.14:35357 *:* users:(("haproxy",pid=158546,fd=28))
LISTEN 0 128 192.0.2.15:35357 *:* users:(("httpd",pid=129493,fd=8),("httpd",pid=129492,fd=8),("httpd",pid=129430,fd=8),("httpd",pid=117868,fd=8),("httpd",pid=117867,fd=8),("httpd",pid=117866,fd=8),("httpd",pid=117865,fd=8),("httpd",pid=117864,fd=8),("httpd",pid=117863,fd=8),("httpd",pid=117862,fd=8),("httpd",pid=117861,fd=8),("httpd",pid=117844,fd=8))
~~~

So the default deployment is fine.

- Andreas

Given that this does not happen for our default deployments as documented in the OSP 10 guide ...

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/advanced_overcloud_customization/sect-enabling_ssltls_on_the_overcloud

... but only when users follow the following knowledge base articles:

https://access.redhat.com/solutions/2891731
https://access.redhat.com/solutions/2943481

I updated both of them with the following text:

++++++++++++++
### A word of warning ###

Moving the Admin Endpoint to the External API Network will expose the non-encrypted `35357` on the external network as well. While communication over `13357` will be encrypted, users might accidentally connect to `35357`. Administrators should make sure that `35357` on the external network is not accessible by users (e.g., create firewall rules).

After a deployment with the method described in this article, `/etc/haproxy/haproxy.cfg` will look similar to the following:

~~~
(...)
listen keystone_admin
  bind 10.0.0.4:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 10.0.0.4:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0.external.localdomain 10.0.0.11:35357 check fall 5 inter 2000 rise 2
(...)
~~~
++++++++++++++

We may want to investigate this nevertheless: customers often want the admin endpoint on the External network, and in SSL, we need to be able to move the SSL endpoint only without exposing the http endpoint.
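As an added example (not part of the bug report, the knowledge base articles or puppet-tripleo), the following Python helper audits an `haproxy.cfg` for exactly the pattern described above: a non-`ssl` bind that shares an address with a TLS bind in the same `listen` section, or that sits on an address the operator passes in as an external VIP. The two sample configurations and the `external_vips` parameter are constructed for this example from the excerpts quoted in the report.

```python
# Added audit helper (not from the bug report or puppet-tripleo): flag plaintext binds
# in an haproxy.cfg that share an address with a TLS bind or sit on an external VIP.
import re
from typing import Dict, List, Tuple

BIND_RE = re.compile(r"^\s*bind\s+(\S+):(\d+)(.*)$")

def parse_listen_sections(cfg: str) -> Dict[str, List[Tuple[str, int, bool]]]:
    """Return {section: [(address, port, is_tls), ...]} for each listen/frontend block."""
    sections: Dict[str, List[Tuple[str, int, bool]]] = {}
    current = None
    for line in cfg.splitlines():
        stripped = line.strip()
        if stripped.startswith(("listen ", "frontend ")):
            current = stripped.split(None, 1)[1]
            sections[current] = []
        elif stripped.startswith(("backend ", "defaults", "global")):
            current = None  # no bind lines belong to these blocks
        elif current is not None:
            m = BIND_RE.match(line)
            if m:  # 'ssl' among the bind options means HAProxy terminates TLS on this socket
                sections[current].append((m.group(1), int(m.group(2)), "ssl" in m.group(3).split()))
    return sections

def find_plaintext_exposure(cfg: str, external_vips=()) -> List[Tuple[str, str, int]]:
    """(section, address, port) of each non-TLS bind on an address that also carries a
    TLS bind of the same section, or that the caller lists as an external VIP."""
    findings = []
    for name, binds in parse_listen_sections(cfg).items():
        tls_addrs = {addr for addr, _, tls in binds if tls}
        for addr, port, tls in binds:
            if not tls and (addr in tls_addrs or addr in external_vips):
                findings.append((name, addr, port))
    return findings

# Constructed samples modelled on the two haproxy.cfg excerpts quoted in the bug.
EXPOSED_CFG = """\
listen keystone_admin
  bind 10.0.0.4:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 10.0.0.4:35357 transparent
"""
DEFAULT_CFG = """\
listen keystone_admin
  bind 10.0.0.4:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.0.2.14:35357 transparent
listen keystone_public
  bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
"""
```

Running `find_plaintext_exposure(EXPOSED_CFG)` reports the `10.0.0.4:35357` bind, while the default-deployment sample reports nothing unless `192.0.2.14` is itself declared an external VIP.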
Seems to me that the fact that it even tries to serve TLS using the public certificate is a bug by itself. It should only serve on one IP.

Also, is it really necessary for it to listen on the external IP? It's not meant for public use. If deployers REALLY need it, we could work it out. But I don't suggest we do this.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462